
I am looking for a way to whitelist an S3 bucket on my client's server. In this S3 bucket there is a public website, thus my idea is to find the IP address used for this S3 bucket. However, I have read in the documentation that it uses dynamic addresses based on many servers and chooses the one with the lowest latency. I am looking for a suggestion for the best way to configure the server's firewall so that it can access my public website, which is hosted in the S3 bucket.

Important: Keep in mind that I cannot filter by URL on the server, only by IP addresses, because it is quite old.

Some more details on the setup: The front-end app lives in the S3 bucket, and the REST API for the app runs on an EC2 instance. I have also configured CloudFront for the S3 bucket in order to connect it to my domain.

My goal: To keep my server secure and to allow access only to my website. I have found that there is a list of all the IP addresses that Amazon uses, but the ranges are huge for the services that I am using:

{
  "ip_prefix": "18.64.0.0/14",
  "region": "GLOBAL",
  "service": "CLOUDFRONT",
  "network_border_group": "GLOBAL"
},
{
  "ip_prefix": "18.196.0.0/15",
  "region": "eu-central-1",
  "service": "EC2",
  "network_border_group": "eu-central-1"
}

Thus, it is not an option to allow all these ranges. I would be happy if someone could provide a good solution for this.

EDIT: Since there was no way to assign a static IP to the S3 bucket, I have found a workaround. On my EC2 instance, where the API was running, I deployed the front-end app and ran it with apache2. Then I assigned a static Elastic IP address to the EC2 instance using this documentation. This gave me the opportunity to allow only this new IP address in the server's firewall rules. Additionally, I added the IP address of the server to the security group of my EC2 instance in order to allow the server to access the webpage.
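The two JSON objects quoted above are entries from AWS's published ip-ranges.json, which lists every prefix per service and region. The script below is an added example (not part of the original question or of any AWS tooling) showing how to filter that file by service and region, merge overlapping prefixes, count how many addresses an allow-list would admit, check a given address against the selection, and emit firewall rules. The JSON excerpt is constructed for the example: the first two prefixes are the ones quoted in the question, the remaining ones use RFC 5737 documentation ranges and are not real AWS allocations. The file's real key layout ("prefixes" for IPv4, "ipv6_prefixes" for IPv6) is the only thing assumed about the live file.

```python
"""Filter an ip-ranges.json document by service/region and derive firewall data.

Added example, not code from the original page. Replace SAMPLE_IP_RANGES with
the contents of https://ip-ranges.amazonaws.com/ip-ranges.json to run it for real.
"""
import ipaddress
import json

# Constructed excerpt in the layout of ip-ranges.json. The 18.64.0.0/14 and
# 18.196.0.0/15 entries are quoted from the question; the others are made up
# (RFC 5737 test networks) to exercise overlap handling and region filtering.
SAMPLE_IP_RANGES = """
{
  "syncToken": "0",
  "createDate": "2023-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "18.64.0.0/14", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "18.196.0.0/15", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1"},
    {"ip_prefix": "18.196.0.0/16", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1"},
    {"ip_prefix": "192.0.2.0/24", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": []
}
"""


def load_prefixes(text):
    """Return the IPv4 prefix entries of an ip-ranges.json document.

    Only the "prefixes" list is used here; IPv6 entries live under
    "ipv6_prefixes" and would need a separate selection (collapse_addresses
    refuses to mix address families).
    """
    return json.loads(text)["prefixes"]


def select_networks(prefixes, service=None, region=None):
    """Pick prefixes matching service/region (None = any) and merge overlaps.

    The live file lists the same space under several services (for example an
    EC2 block and the broader AMAZON block), so collapsing avoids duplicate
    and nested firewall rules.
    """
    picked = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in prefixes
        if (service is None or p["service"] == service)
        and (region is None or p["region"] == region)
    ]
    return sorted(ipaddress.collapse_addresses(picked))


def address_count(networks):
    """Total number of addresses an allow-list of these networks would admit."""
    return sum(n.num_addresses for n in networks)


def is_allowed(ip, networks):
    """True if the address falls inside any selected network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def iptables_rules(networks, port=443):
    """Outbound allow rules, one per merged network, for an iptables-style firewall."""
    return [
        f"iptables -A OUTPUT -p tcp -d {n.with_prefixlen} --dport {port} -j ACCEPT"
        for n in networks
    ]


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES)
    for label, nets in (
        ("CLOUDFRONT (all regions)", select_networks(prefixes, service="CLOUDFRONT")),
        ("EC2 eu-central-1", select_networks(prefixes, service="EC2", region="eu-central-1")),
        ("anything in eu-central-1", select_networks(prefixes, region="eu-central-1")),
    ):
        print(f"{label}: {[str(n) for n in nets]} -> {address_count(nets)} addresses")
        for rule in iptables_rules(nets):
            print("  " + rule)
```

Running it against the real file makes the size problem from the question concrete: the single CloudFront /14 quoted above alone covers 262,144 addresses, and the selection changes whenever AWS republishes the file, so any allow-list generated this way has to be regenerated on a schedule rather than pasted into the firewall once.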

  • This does not make sense to me. If you want to restrict access to the S3 bucket, use an IAM identity (role if the server is running in EC2 or User if the server is running elsewhere). If you want to restrict access to the website that is running from S3 and served through CloudFront, use an Origin Access Identity to restrict access to S3 to ONLY your CF distribution and then use WAF to restrict access to the CF distribution to only the server's public IP.
    – Tim P
    Apr 6 at 2:45
  • Hi @TimP, thanks for the response! However, my need is exactly the opposite - I need to have public access to my bucket. But I have a secured server that allows very restricted access to the web; in other words, only access to websites that are added to the firewall rules. Thus, I need to add the IP address of the server where the S3 bucket is running. I have found the IP ranges for the S3 bucket, but this is not an option because the range is quite big.
    – Vitomir
    Apr 6 at 16:06
  • As you have found there is no single IP address for S3. It is a service managed by AWS and your particular bucket can use any or all of the IPs in the range for the region where the bucket exists. If the server is running in AWS (EC2 instance) you may be able to use an S3 VPC endpoint. If it is not, you might be able to use AWS StorageGateway to present the S3 bucket as an SMB or NFS share (though I only recommend this for reading data).
    – Tim P
    Apr 17 at 0:40
  • @TimP thanks for the reply and suggestion. I thought of another way and it currently works in my case. I just assigned an Elastic IP to my EC2 instance and then put my front-end app on this instance; thus my server is whitelisting only the new Elastic IP, and then I add the server's IP to my security group rules.
    – Vitomir
    Apr 18 at 6:59
